Apple Fixes Mountain Lion, Safari

Tuesday, September 17, 2013 @ 05:09 PM gHale

Apple pushed out patches last week, updating OS X Mountain Lion to 10.8.5. The update addresses “stability, compatibility and security” issues and fixes 30 vulnerabilities in the operating system.

The update fixes multiple vulnerabilities in Apache that could have led to cross-site scripting attacks, and vulnerabilities in BIND that could have led to denial of service. Other fixes, in bundled components such as PostgreSQL, PHP and OpenSSL, closed flaws that could have led to arbitrary code execution, data corruption or privilege escalation.

Apple also updated its Certificate Trust Policy, adding several root certificates to, and removing others from, the list of trusted system roots. Apple also patched Installer, which previously presented a dialog letting the user continue when it encountered a package signed with a revoked certificate. Installer now refuses any such package outright.

The update also resolved the previously reported sudo vulnerability. sudo, the Unix utility that lets permitted users run commands as root (or another user), records a successful password check in a timestamp file so the password is not asked for again within a short window. By setting the system clock, an attacker with access to an admin account could abuse that cached timestamp to gain root privileges on a system where sudo had been used before. “On OS X, only admin users can change the system clock. This issue was addressed by checking for an invalid timestamp,” read the security document released with the patches Thursday.
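To make the clock trick concrete, here is an added illustration (not sudo’s or Apple’s code) that models sudo’s timestamp check before and after a fix of the kind the advisory describes. The epoch marker left behind by `sudo -k`, the five-minute default timeout and the sample clock values are assumptions used to build the model; the timestamp file’s modification time is modelled as an integer number of seconds.

```python
"""Model of sudo's timestamp-based credential caching and the clock-reset bypass.

Added illustration, not sudo's source. Times are integer seconds since the Unix
epoch and the timestamp file's mtime is modelled as a plain int (assumption).
"""

EPOCH = 0          # `sudo -k` marks the cached credential stale by setting the
                   # timestamp file's mtime to the epoch (modelled assumption)
TIMEOUT = 5 * 60   # sudo's default timestamp_timeout, in seconds


def invalidate() -> int:
    """What `sudo -k` leaves behind: an epoch-dated timestamp."""
    return EPOCH


def cached_auth_valid_vulnerable(ts: int, now: int, timeout: int = TIMEOUT) -> bool:
    """Pre-fix logic: the cached credential is valid if its timestamp lies within
    `timeout` seconds before 'now'. Nothing distinguishes a real timestamp from
    the epoch marker, so a clock set to 1970 resurrects a revoked cache."""
    return 0 <= now - ts < timeout


def cached_auth_valid_fixed(ts: int, now: int, timeout: int = TIMEOUT) -> bool:
    """Post-fix logic (the 'invalid timestamp' check): the epoch marker is never
    valid, a timestamp from the future means the clock was turned back, and
    otherwise the usual freshness window applies."""
    if ts == EPOCH:      # reset marker, or a file that never held a real time
        return False
    if ts > now:         # clock moved backwards since the credential was cached
        return False
    return now - ts < timeout


def scenarios(check) -> dict:
    """Run one of the checks above over constructed situations and report
    whether sudo would skip the password prompt in each."""
    now = 1_379_000_000  # constructed 'real' clock value (September 2013)
    return {
        # victim used sudo a minute ago, clock untouched
        "fresh": check(now - 60, now),
        # victim used sudo longer ago than the timeout allows
        "expired": check(now - TIMEOUT - 1, now),
        # victim ran `sudo -k`, clock untouched
        "after_sudo_k": check(invalidate(), now),
        # victim ran `sudo -k`; attacker sets the clock to one second past 1970
        "epoch_clock": check(invalidate(), EPOCH + 1),
        # live timestamp, attacker rewinds the clock into its window
        "clock_rewound_into_window": check(now - 60, now - 30),
    }


if __name__ == "__main__":
    for name, check in (("vulnerable", cached_auth_valid_vulnerable),
                        ("fixed", cached_auth_valid_fixed)):
        print(name, scenarios(check))
```

The two checks differ only on the `epoch_clock` case, which is exactly the bypass: once `sudo -k` has written the epoch marker, a clock reset to 1970 puts “now” within the timeout of that marker. Note that in this model a still-live timestamp can be reached by rewinding the clock into its window, which the epoch check does not prevent; that is why the advisory’s remark that only admin users can change the system clock matters, since the attack already presupposes admin access.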

Thursday also saw the release of Safari 5.1.10, Apple’s browser. The update fixed multiple memory corruption issues in JavaScriptCore, the browser’s JavaScript engine; visiting a maliciously crafted website could lead to an unexpected application termination or arbitrary code execution.

10.8.5 is likely the last update Apple users will see for the company’s “cat” series of operating systems (Lion, Mountain Lion, etc.). The next iteration of Apple’s OS, Mavericks, is on tap for release at the end of October.

On the security front, Apple has already announced in its Core Technologies Overview (.PDF) that Mavericks will feature more finely tuned Address Space Layout Randomization (ASLR), compressed memory, sandboxes and code signing entitlements.